Attack

FireScam malware phishing campaign impersonates RuStore app marketplace

Take action: One of the easiest ways to get malware onto an Android device is through "alternative app stores" and directly downloaded .apk files that promise some advanced functionality, a premium app or a "free" version of a commercial app. Remember - there is no such thing as a free lunch. Stick to the official app stores, which are vetted (albeit imperfectly). Otherwise, you will pay with your data, possibly even with your bank accounts and cryptocurrency.


Learn More

A new Android malware campaign called FireScam has emerged, using phishing and sophisticated techniques to steal sensitive data from mobile devices by masquerading as a premium version of the Telegram messaging app. Note - there is no such thing as "premium Telegram".

The malware is distributed through phishing websites hosted on GitHub that impersonate RuStore, a Russian alternative to Google Play launched in May 2022 following Western sanctions. This distribution method targets users seeking alternative app markets, exploiting the trust placed in seemingly legitimate platforms.

The infection process begins with a dropper module named GetAppsRu.apk, which is heavily obfuscated to evade detection. This malware targets Android versions 8 through 15 and requests extensive permissions to:

  • identify installed apps,
  • access device storage,
  • install additional packages.

Once installed, the dropper installs the main payload, Telegram Premium.apk, which requests permissions to:

  • monitor notifications,
  • read clipboard data,
  • read SMS,
  • access telephony services.
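The two permission sets above (dropper and payload) are what a defender can look for when triaging an APK. The following Python script is an added example, not code from the campaign, from Cyfirma or from RuStore: it parses an AndroidManifest.xml and flags the co-occurrence of the capabilities described in this article. The mapping from those capabilities to Android permission names is this editor's, and the sample manifest is constructed.

```python
# Added example (not the campaign's or Cyfirma's code): triage an Android
# manifest for the dropper + spyware permission profile the article describes.
# Permission names are my mapping of the described capabilities; the sample
# manifest is constructed. Clipboard access needs no permission, so it is omitted.
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: XML namespace

CAPABILITIES = {
    "identify installed apps": {"android.permission.QUERY_ALL_PACKAGES"},
    "access device storage": {"android.permission.READ_EXTERNAL_STORAGE"},
    "install additional packages": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "monitor notifications": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
    "read SMS": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "telephony services": {"android.permission.READ_PHONE_STATE"},
}

def declared_permissions(manifest_xml: str) -> set[str]:
    """<uses-permission> names plus the android:permission attribute of any
    <service>, which is how a notification-listener service is declared."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(A + "name") for el in root.iter("uses-permission")}
    names |= {el.get(A + "permission") for el in root.iter("service")}
    return {n for n in names if n}

def triage(manifest_xml: str) -> dict[str, list[str]]:
    """Map each capability of the profile to the permissions this manifest requests."""
    perms = declared_permissions(manifest_xml)
    return {cap: sorted(perms & wanted)
            for cap, wanted in CAPABILITIES.items() if perms & wanted}

def is_suspicious(manifest_xml: str, min_hits: int = 3) -> bool:
    """Flag only when several capabilities co-occur; READ_SMS alone is not a signal."""
    return len(triage(manifest_xml)) >= min_hits

# Constructed sample shaped like the payload described above.
SAMPLE_PAYLOAD = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.fake.messenger">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".Listener"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(is_suspicious(SAMPLE_PAYLOAD), triage(SAMPLE_PAYLOAD))
```

Run it against the decoded manifest of an APK (e.g. the output of apktool) rather than the binary XML inside the archive.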

FireScam presents users with a deceptive WebView screen mimicking Telegram's login page to harvest credentials. The malware then establishes communication with a Firebase database server, where it uploads stolen data in real time and registers the compromised device with unique identifiers for tracking. It also maintains a persistent WebSocket connection, enabling real-time command execution, data exfiltration, and adjustment of its surveillance parameters.

The malware tracks screen activity changes, e-commerce transactions, and user interactions lasting more than 1,000 milliseconds. It captures everything from keystrokes and drag-and-drop actions to clipboard content and password manager auto-fills. FireScam also monitors USSD responses, system notifications, and inter-app data exchanges, creating a comprehensive surveillance system that leaves virtually no user activity unobserved.

The stolen data is temporarily stored in the Firebase database before being wiped, suggesting the attackers quickly filter and transfer valuable information to a more secure location. While the operators behind FireScam remain unknown, security researchers at Cyfirma characterize it as a "sophisticated and multifaceted threat" that demonstrates the evolving complexity of mobile malware attacks.

Users are advised to exercise extreme caution when downloading apps from unofficial sources and to be particularly wary of offers for "premium" versions of popular applications.
